The New York Times Is Wrong: Strong Passwords Can’t Save Us

On Nov. 7, The New York Times ran a story called “How to Devise Passwords That Drive Hackers Away.” Written by Silicon Valley correspondent Nicole Perlroth, the piece reigned over the paper’s Most Emailed List for a full week, and for a good reason: It’s properly freaked out about just how vulnerable we all are to hackers.

But by focusing on the password, it tries to prop up the unsustainable heart of our moldering security system — and it implicitly blames the victim for problems that big corporations let fester for selfish reasons. As I argue in my new cover story for Wired, the only solution is to kill the password entirely.

Much of the advice the Times offers up is quite good. No, you should not re-use passwords or use dictionary words as passwords. And, yes, your passwords should be long and complicated. Pass phrases are great! And security questions? You should never answer them honestly. (Just ask David Pogue.)

But the Times goes much further, advocating methods that no consumer should reasonably be expected to follow. To wit:

For sensitive accounts, [security expert] Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive. “That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don’t know it.”

And:

Do not store your passwords in your in-box or on your desktop. If malware infects your computer, you’re toast. Mr. Grossman stores his password file on an encrypted USB drive for which he has a long, complex password that he has memorized. He copies and pastes those passwords into accounts so that, in the event an attacker installs keystroke logging software on his computer, they cannot record the keystrokes to his password.

And: under the section headed “A Password Manager? Maybe” (The triumph of Carly Rae Jepsen!) we learn about the dangers of using password-management software like 1Password or LastPass:

Mr. Grossman said he did not trust the software because he didn’t write it.

Truly, words of wisdom for us all: We really should all should be writing our own password-management programs.

* * *

Yes, you are quite vulnerable to being hacked, and no matter what The New York Times tells you, passwords aren’t the solution; they are the very problem. The idea that you can devise passwords to keep hackers away is quaint and preposterous. It is an outdated, old-fashioned notion akin to protecting a city with a wall.

But in the age of Google, and Facebook, and Spokeo, social engineering has never been easier. There is a treasure trove of data about all of us, scattered across the internet, that can be easily used to gain password resets. Which means all of those precautions can be easily undone with the right phone call, or an errant click on a mobile browser, where the URL is often hidden to save screen real estate, or in any manner of other ways, on service to service. Hey, look, yesterday it was Skype. Tomorrow, maybe it will be your bank.

The real problem with passwords isn’t reuse or cracking. These are mere symptoms of a larger disease. Think of our password problem as being like polio.

Prior to 1900, polio was never a devastating pandemic. Though it has been with us since the dawn of civilization (like passwords!) its transmission wasn’t enough of a problem to cause large-scale epidemics. But as we entered the 20th century, a confluence of factors (larger populations living in cities with sewage treatment and without as much childhood exposure to the disease that created lowered overall immunity) created a new threat, and polio went from occasional outbreak, to epidemic, to pandemic. True, there were precautions individuals could take, but they were ineffective at stopping or slowing outbreaks. You couldn’t even protect yourself without taking extreme measures, like total isolation. It took the work of society and institutions to eradicate it in the developed world — not only to create vaccines but to get those vaccines into widespread circulation.

Like polio, the password problem is also an old problem and a new problem at the same time. Passwords have been cracked since they were invented, but until recently it wasn’t an issue that had widespread implications for most people. Today, however — for a variety of reasons I detail in my story for Wired‘s December issue — the problem has reached epidemic, if not pandemic, proportions. Yet instead of a systemic, universal vaccination, The New York Times is basically advocating that you go live in a cabin deep in the woods.

More importantly, the advice in this story makes the same mistake journalists make again and again, which is to put account security onus on the individual. But as individuals we are, for the most part, pretty powerless. This is Microsoft and Apple and Google and AT&T and Verizon and Bank of America and PayPal and Amazon’s job. And there’s a sure way to get their attention.

Here is a better idea than keeping an encrypted USB disk of passwords taped securely to the underside of your genitals: If a service does not offer you adequate protection, don’t use it. Want to know how to protect your password from hackers? Quit using insecure products.

For vital services — like your primary e-mail, or online banking account — you should demand at a minimum a second factor of authentication. That’s typically something you have like a code sent to your phone, or an app, or a token. If you can’t get that protection from the service you entrust with your vital data, don’t use it. I’ll say it again, because it is so important: If you are using e-mail or banking services from a provider that does not offer that second layer of protection in addition to the password, stop now. Today. Archive and delete all your messages. Transfer your money. Close your account. Seriously. Not kidding. Do it right now.

Good security is going to require tradeoffs. We’re going to have to get used to the notion that we either need to give up some of our privacy, or ease of access in order to achieve it. There’s just no other way.

The criminals — be they 15-year-old sociopaths or organized criminals — are coming for you. And your passwords won’t protect you. Even if you keep them on an encrypted USB stick.